Enabling Mid-Market Companies to Scrut(inize) their Compliance and Infosec Risks — Why We Invested in Scrut Automation

MMV Europe & APAC
6 min readJun 26, 2024

--

In today’s world, the need for a robust Governance, Risk and Compliance (GRC) framework transcends companies of all stage and sizes. GRC automation has emerged as a crucial tool in modern business operations, transforming how organizations manage their regulatory obligations, mitigate risks, and ensure effective governance. Incumbents have built complex solutions to serve the needs of large enterprises, and newer offerings have captured the SMB market by greatly simplifying the process of obtaining compliance certifications (ISO, SOC 2, etc.). However, there exists a white space for offerings catered to mid-market enterprises as they scale across multiple cloud environments and navigate increasingly complex information security needs.

Compliance No Longer Just a “Nice-To-Have”

The increasing threat from cybersecurity attacks and bad actors have resulted in companies increasing their cybersecurity budgets and adherence to compliance standards. Governments and various regulatory bodies worldwide are also putting pressure on businesses to uphold data privacy and security standards, especially when consumer data is involved. Audit standards require compliance to extend to vendors, resulting in enterprises paying closer attention to their technical supply chains and vendors they choose to onboard; non-compliance with these standards could very easily lead to disqualification from a sales process. This evolving compliance and regulatory landscape means that the traditional approach to cybersecurity and compliance — often reactive and piecemeal — is no longer sufficient. Companies now require proactive, comprehensive solutions that not only ensure they adhere to current standards but also equip them to adapt swiftly to future changes. Establishing a robust internal GRC framework is now a cornerstone of every company’s operational and strategic planning.

Existing Solutions Not Built for the Needs of Mid-Market Companies

While numerous GRC management solutions exist, most are designed with either large enterprises or early-stage startups in mind. These solutions often fall short for mid-market companies as their information security footprint becomes increasingly complex with scale.

This means that for mid-market companies, their requirements go beyond compliance with audit standards; deeper and broader control over processes and procedures is needed. These companies will now need to be able to:

  1. Evaluate their current processes and plan for improvements
  2. Identify suitable tools that fits their needs for Risk Management, Asset Discovery, Compliance Monitoring and Reporting (all while being integrated to their existing systems)
  3. Customize configurations to meet their organization’s specific needs (e.g. workflows, templates, reporting mechanisms to align with regulatory requirements and internal policies)
  4. Remediate non-compliance, security risks and misconfigurations in a streamlined and automated fashion

Enterprise solutions like RSA Archer, MetricStream and AuditBoard tend to be complex and expensive point solutions, assuming a level of resources and technical expertise that mid-market companies might not possess. These solutions typically focus on audit preparedness and fits in well with the workflows of large enterprises where GRC and security teams are separate. On the other hand, offerings such as Drata, Sprinto and Vanta found their successes helping startups obtain their required compliance in an efficient and fuss-free manner which forces them to be optimized for ease-of-use. This leaves a gap in the mid-market for a solution that enables companies to not only achieve the compliance they need, but also dynamically maintain and monitor their information security posture as they scale.

Gap in Serving Mid-Market Clients Calls For Risk-First Solution Like Scrut

Recognizing the gap in the market, Scrut tailored its platform as a GRC+ offering, catering to the needs of cloud native, mid-market companies right from day one. The platform strikes the perfect balance between complexity and simplicity, offering the depth of functionality required to manage the spectrum of cybersecurity and information security challenges without overwhelming security teams. With Scrut, information security teams can simply utilize a single window to:

1. Identify their cyber assets and their relationships

2. Identify risks arising from these relationships

3. Define risk management steps and customize controls to the risk posture

4. Automatically map controls against compliance standards

5. Track and assign tasks across teams to remediate any non-compliance

6. Continuously monitor effectiveness of controls and automatically alert against potential deviations

This end-to-end platform enables companies to secure and continuously monitor the majority of their potential sources of information security risks. The Scrut platform also has a rich library of pre-built integrations to facilitate real-time control monitoring across its users’ tech stack.

Special shout-out here to another portfolio company of ours, Zluri, who the Scrut team has been working closely with to augment observability into 3rd party applications.

In investing in Scrut, we see a tremendous opportunity to redefine how risk and compliance is being managed for mid-market companies, empowering security teams to function more efficiently and effectively. Scrut’s innovative approach to GRC management fills a critical gap in the market, enabling mid-market companies to go beyond complying with statutory audit standards by providing them with full visibility and control over their cybersecurity posture. In developing the platform, the team intentionally embraced a ‘risk-first’ approach — putting risk management at the core of product development instead of defaulting to a ‘standards-first’ one that treats compliance as a mere “check-the-box” exercise.

While all these insights provided compelling reasons to invest, our conviction ultimately rested with Aayush, Kush and Jayesh who founded the company back in 2021. Together, they possessed the perfect blend of domain expertise, technical rigor and commercial acumen and have managed to surround themselves with a strong bench of senior executives. Since our initial investment into Scrut in March 2023, the team has consistently demonstrated their excellent execution abilities, not only scaling the business rapidly, but also successfully diversifying their revenue base into other markets.

Our investments in Scrut reflects our belief in the founders and their vision and their ability to execute it. We’re excited to continue to support them as they grow, confident that they are shaping the future of GRC management for mid-market companies across the globe.

--

--

MMV Europe & APAC

MassMutual Ventures is a global venture capital firm, investing in FinTech, SaaS, Digital Health & ClimateTech.